DNSSEC Signing & Key Questions

McConville, Kevin kmcconville at albany.edu
Tue Oct 4 19:09:50 UTC 2011

I'm new to this list, so please bear with me if these are/seem like "newbie" questions.

We are currently evaluating a DNSSEC implementation. We have several static zones that we would like to implement first. We are currently using ISC BIND 9.7.4. The test environment has one (1) authoritative DNS server and one (1) resolver DNS server, both running RHEL 5.7. We do have an on-hold OpenDNSSEC server with SoftHSM (we are trying to look at the built-in utilities of ISC BIND first).

We are trying to make the DNSSEC piece as automatic as possible, so here is where we are having issues.

1)      Is there any way to have the ZSK auto-generated based on the Inactive date listed in the ZSK metadata? I know we can pre-publish and then use dnssec-settime to change the metadata, but that is still very hands-on.

2)      With a static zone, are the update-policy local and auto-dnssec maintain options invalid / do they not work? From the docs, they look like they are only for automation of dynamic zones.

3)      Are there any ways to automate zone signing and ZSK generation/rollover in a totally static zone environment?

4)      What key-management and zone-signing management utilities or programs have you found useful/helpful?

Any suggestions, comments, or questions are greatly appreciated. Thank you in advance.

Kevin McConville
University at Albany
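Added example (not part of the post above, and not ISC's or OpenDNSSEC's code): one way to get the behaviour asked about in questions 1 and 3 with only the BIND 9.7 utilities. BIND writes Publish/Activate/Inactive/Delete timestamps (YYYYMMDDHHMMSS, UTC) into each key's .private file; a daily cron job can read the current ZSK's Inactive date, generate the successor with dnssec-keygen -S once the prepublication window opens, and re-sign the static zone with dnssec-signzone -S (smart signing), which publishes prepublished keys and signs only with active ones. The key directory, key name, zone, file paths, the sample .private contents and the 14-day/1-day intervals are all constructed for the example.

```python
import re
import subprocess
from datetime import datetime, timedelta, timezone

TS_FMT = "%Y%m%d%H%M%S"              # BIND key timing fields: YYYYMMDDHHMMSS, UTC
TIMING_FIELDS = ("Created", "Publish", "Activate", "Revoke", "Inactive", "Delete")
PREPUBLISH = timedelta(days=14)      # assumed: new DNSKEY must be visible this long before it signs
LEAD = timedelta(days=1)             # assumed: margin so a daily cron run cannot miss the boundary

# Constructed sample: the timing section of Kexample.com.+008+12345.private
SAMPLE_PRIVATE = """Private-key-format: v1.3
Algorithm: 8 (RSASHA256)
Created: 20111001000000
Publish: 20111001000000
Activate: 20111001000000
Inactive: 20111101000000
Delete: 20111201000000
"""


def parse_timing(private_text):
    """Map each timing field present in a .private file to an aware UTC datetime."""
    times = {}
    for line in private_text.splitlines():
        m = re.match(r"^(\w+):\s*(\d{14})\s*$", line)
        if m and m.group(1) in TIMING_FIELDS:
            ts = datetime.strptime(m.group(2), TS_FMT).replace(tzinfo=timezone.utc)
            times[m.group(1)] = ts
    return times


def successor_due(times, now, prepublish=PREPUBLISH, lead=LEAD):
    """True once the successor ZSK must exist so it can be prepublished in time.

    The successor has to sit in the DNSKEY RRset `prepublish` before the
    current key goes Inactive, so it is generated `prepublish + lead` ahead.
    A key with no Inactive date is never rolled automatically.
    """
    inactive = times.get("Inactive")
    if inactive is None:
        return False
    return now >= inactive - prepublish - lead


def keygen_successor_cmd(key_dir, key_name, prepublish=PREPUBLISH):
    """dnssec-keygen -S copies algorithm/size/flags from the predecessor, sets
    Activate to its Inactive date and Publish to Activate minus the -i interval."""
    return ["dnssec-keygen", "-K", key_dir, "-S", key_name, "-i", f"{prepublish.days}d"]


def settime_cmd(key_dir, new_key_name, inactive="+90d", delete="+120d"):
    """Give the successor its own Inactive/Delete dates so the next cycle can roll it."""
    return ["dnssec-settime", "-K", key_dir, "-I", inactive, "-D", delete, new_key_name]


def signzone_cmd(key_dir, zone, zone_file):
    """dnssec-signzone -S (smart signing) selects keys from key_dir by metadata:
    prepublished keys are added to the DNSKEY RRset, active keys sign."""
    return ["dnssec-signzone", "-S", "-K", key_dir, "-o", zone, zone_file]


def plan(private_text, key_dir, key_name, zone, zone_file, now):
    """Commands a cron run should execute now: an optional keygen, then a re-sign."""
    cmds = []
    if successor_due(parse_timing(private_text), now):
        cmds.append(keygen_successor_cmd(key_dir, key_name))
    cmds.append(signzone_cmd(key_dir, zone, zone_file))
    return cmds


def run(cmds, key_dir, execute=False):
    """Dry-run prints the commands; execute=True runs them on a real server.
    dnssec-keygen prints the new key name, which settime then needs."""
    for cmd in cmds:
        print(" ".join(cmd))
        if not execute:
            continue
        out = subprocess.run(cmd, check=True, capture_output=True, text=True).stdout
        if cmd[0] == "dnssec-keygen":
            new_key = out.strip().splitlines()[-1]
            subprocess.run(settime_cmd(key_dir, new_key), check=True)


if __name__ == "__main__":
    run(plan(SAMPLE_PRIVATE, "/var/named/keys", "Kexample.com.+008+12345",
             "example.com", "/var/named/example.com.db",
             datetime.now(timezone.utc)),
        "/var/named/keys")
```

Run it from cron with execute=True on the hidden master only; the signed output file still has to be loaded by named (rndc reload) and the re-sign must happen often enough that RRSIGs do not expire between runs. This script only rolls the ZSK: a KSK rollover also needs the DS record at the parent updated.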

